diff --git a/README.md b/README.md new file mode 100644 index 0000000..3fac927 --- /dev/null +++ b/README.md @@ -0,0 +1,5 @@ +# Ansible scripts for our private Intel NUC servers + +## TODO + +- firewall diff --git a/playbooks/all.yml b/playbooks/all.yml index 93e5419..9d932e5 100644 --- a/playbooks/all.yml +++ b/playbooks/all.yml @@ -1,9 +1,6 @@ ---- -- name: Install pizzeria static website +- name: Setup everything hosts: nucs roles: + - ssh - pizzeria -- name: Install Syncthing - hosts: nucs - roles: - syncthing diff --git a/playbooks/ssh.yml b/playbooks/ssh.yml new file mode 100644 index 0000000..b84b88f --- /dev/null +++ b/playbooks/ssh.yml @@ -0,0 +1,4 @@ +- name: Configure SSH + hosts: nucs + roles: + - ssh diff --git a/roles/ssh/files/sshd_config b/roles/ssh/files/sshd_config new file mode 100644 index 0000000..4c3715c --- /dev/null +++ b/roles/ssh/files/sshd_config 
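Review bot: The Syncthing play is removed from playbooks/all.yml while the surviving play is renamed `Setup everything`, and neither the README nor the commit says whether Syncthing is no longer wanted; if it is still deployed, keep `- syncthing` under `roles:` so all.yml actually covers everything (inferred from the hunk alone, the role directory is not visible here). The `---` document-start marker is also dropped from all.yml, and the new playbooks/ssh.yml does not have one; yamllint's `document-start` rule and the Ansible convention both expect it, so add `---` as the first line of both files.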
@@ -0,0 +1,41 @@
+Include /etc/ssh/sshd_config.d/*.conf
+
+HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Ciphers and keying
+HostKeyAlgorithms ssh-ed25519
+CASignatureAlgorithms ssh-ed25519
+HostbasedAcceptedKeyTypes ssh-ed25519
+HostKeyAlgorithms ssh-ed25519
+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org
+Ciphers chacha20-poly1305@openssh.com
+MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com
+
+# To disable tunneled clear text passwords, change to no here!
+PasswordAuthentication no
+PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+KbdInteractiveAuthentication no
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the KbdInteractiveAuthentication and
+# PasswordAuthentication. Depending on your PAM configuration,
+# PAM authentication via KbdInteractiveAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and KbdInteractiveAuthentication to 'no'.
+UsePAM no
+
+X11Forwarding yes
+PrintMotd no
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+# override default of no subsystems
+Subsystem sftp /usr/lib/openssh/sftp-server
+
diff --git a/roles/ssh/tasks/main.yml b/roles/ssh/tasks/main.yml
new file mode 100644
index 0000000..b5ffdfa
--- /dev/null
+++ b/roles/ssh/tasks/main.yml
@@ -0,0 +1,11 @@
+- name: Copy sshd config
+  copy:
+    src: "{{ role_path }}/files/sshd_config"
+    dest: /etc/ssh/sshd_config
+  register: sshd_config
+- name: Restart SSH service
+  systemd:
+    enabled: true
+    name: sshd
+    state: reloaded
+  when: sshd_config.changed
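Review bot: `Include /etc/ssh/sshd_config.d/*.conf` is the first line of the new file, and sshd keeps the first value it reads for each keyword, so any drop-in that a distribution or provisioning tool places in that directory silently wins over every hardening line below it, including `PasswordAuthentication no`; either move the `Include` to the end of the file or have the role remove or manage that directory's contents. `HostKeyAlgorithms ssh-ed25519` is declared twice under `# Ciphers and keying`; the second occurrence is dead and should be deleted. `X11Forwarding yes` is an unusual choice for headless servers and `PermitRootLogin` is left at its compiled-in default, so I would set `X11Forwarding no` and an explicit `PermitRootLogin no` (or `prohibit-password` if root key logins are needed). `UsePAM no` also switches off the PAM account and session processing that the file's own comment block describes; with password and keyboard-interactive authentication already off, `UsePAM yes` keeps that processing without opening another authentication path.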
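Review bot: The `copy` task writes /etc/ssh/sshd_config without `validate`, so a typo in the file is installed and then `state: reloaded` runs against it, which can leave the host without a working sshd and lock you out; add `validate: /usr/sbin/sshd -t -f %s` so the reload only happens once the new file parses. The task also sets no `owner`/`group`/`mode`, so the installed file takes whatever the defaults give it rather than the root-owned `0644` that sshd expects. The `register` plus `when: sshd_config.changed` pair reimplements a handler; the idiomatic form is `notify: Restart SSH service` on the copy task with the `systemd` task moved to roles/ssh/handlers/main.yml. `src: "{{ role_path }}/files/sshd_config"` can simply be `src: sshd_config`, since role-relative lookup already searches the role's files/ directory.
```yaml
- name: Copy sshd config
  copy:
    src: sshd_config
    dest: /etc/ssh/sshd_config
    owner: root
    group: root
    mode: "0644"
    validate: /usr/sbin/sshd -t -f %s
  notify: Restart SSH service
# … unchanged: the systemd reload task, moved to roles/ssh/handlers/main.yml …
```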